Students hack Waze, send in army of traffic bots

Two Israeli students have successfully hacked popular
social GPS map and traffic app Waze, causing it to report a
nonexistent traffic jam.

The attack, somewhat reminiscent of the wonderfully
ridiculous Die Hard 4.0 plot, was carried out by Shir
Yadid and Meital Ben-Sinai, two software engineering students in
their fourth year at the Israel Institute of Technology.

As part of their university project, the two students
created their own program, which they used to hack into Waze in
order to cause the fake traffic jam, lasting hours. As this was an
educational endeavour, the pair was conscious of causing as little
real-world trouble as possible. With this in mind, Yadid and
Ben-Sinai generated a fake jam on a quiet back road within their
campus, but their faculty advisor, Professor Eran
Yahav, said the two students could have created the fake
traffic jam on any road in Israel, potentially causing mayhem.

In true white hat fashion, the faculty immediately
contacted Waze and informed the company of the students' actions,
highlighting the vulnerabilities in their system. They were even
kind enough to include the full academic paper behind the
project.

Doctoral student Nimrod Partush came up with the idea
a year ago after being stuck in a traffic jam with Professor Eran
Yahav. "I told Eran that had we made Waze inform drivers about a
traffic jam on the Coastal Highway before we set out, the
application would have diverted drivers to Route 4, and we could
have driven to Tel Aviv along the Coastal Highway with no traffic
jams," said Partush, in an interview with Haaretz.

It was suggested by the professor that Partush voice
his thoughts to Yadid and Ben-Sinai, who then took up the challenge
of hacking Waze. Initially the two students didn't realise how
difficult the task would be -- but as they became more involved
with the project, its complexity became evident.

Not only did they need to figure out how to create the
numerous active fake Waze accounts necessary for such a task, they
also needed to mimic false GPS information. The research was
conducted in three phases:

"We first created a system that automatically creates
multiple 'fake' android devices," Partush explained to Wired.co.uk.
"This was done by using an 'Android Emulator' -- a computer
program, supplied by Google for development purposes, that emulates
a legitimate android device. We then built a control system, using
scripting code, which allowed us to mimic interactive human input
for all the emulated devices.

"We then used the system to install and login into the
Waze application, by automating human operations required for
creating an account. This provided us with an 'army' of fake Wazers
(we called them 'Wazer bots'), which we sent to a designated road
to fake congestion in the Waze application. To send our 'Wazer
bots' to the desired road, we created a small Android application
of our own, simply called 'TrafficJam'. 'TrafficJam' generated fake
GPS coordinates, which were fed to the Waze application, making it
think our bots are every-day Wazer users, driving about the
designated road. Finally, we tuned 'TrafficJam' to generate GPS
coordinates such that our army of Wazer bots would appear to be
gradually slowing down at the designated route."

This final stage was done experimentally, and was the
most challenging part of the research for the team as they had to
detect what traffic patterns were considered as congestion by Waze.
"At that point, Waze reported the designated road to be congested,
and offered a different route through campus when asked for a
route", concludes Partush.

Following the news of the hack, some individuals have
been less than pleased, expressing concern over the moral ambiguity
of potentially inconveniencing drivers.

However, a spokesperson for the university and
Professor Yahav himself made it clear to Wired.co.uk that those who
felt there were moral issues with the experiment had misunderstood
their method:.

"First, let me assure you that there is no moral
ambiguity in this project, and we have taken extreme care to make
sure that no real Waze users are affected in a meaningful way: all
of our experiments were limited to roads inside the campus. All of
our experiments were limited to short periods of time," explained
Professor Yahav.

"We have notified Waze of our finding on 2 February,
and got an official response on 5 February. We deliberately gave
Waze more than 40 days to act on our findings before making them
public. Further, a main aspect of the academic paper that we wrote
on the topic is investigation of defense mechanisms against this
kind of Sybil attacks, and we have shared the full paper with Waze
on our initial contact with them."

The attack was carried out in a completely automatic manner,
required a low amount of resources, and involved no hacking of any
kind into the Waze application or servers. Waze, now owned by
Google after a $1.3 billion (£788 million) buyout last year, has
acknowledged the university's findings, stating it will look into
the issue.